Firewall Rule Deleted Via Netsh.EXE
Detects the removal of a port or application rule in the Windows Firewall configuration using netsh
Sigma rule
title: Firewall Rule Deleted Via Netsh.EXE
id: 1a5fefe6-734f-452e-a07d-fc1c35bce4b2
status: test
description: Detects the removal of a port or application rule in the Windows Firewall configuration using netsh
references:
    - https://app.any.run/tasks/8bbd5b4c-b82d-4e6d-a3ea-d454594a37cc/
author: frack113
date: 2022-08-14
modified: 2023-02-10
tags:
    - attack.defense-evasion
    - attack.t1562.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'firewall'
            - 'delete '
    filter_optional_dropbox:
        ParentImage|endswith: '\Dropbox.exe'
        CommandLine|contains: 'name=Dropbox'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate administration activity
    - Software installations and removal
level: medium
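To show how the detection section above evaluates against process-creation telemetry, here is an added Python example (not part of the Sigma project or of any SIEM backend). It re-implements only the Sigma semantics this one rule uses: a selection written as a list of maps is an OR, a map with several fields is an AND, `contains`/`endswith` compare case-insensitively, `contains|all` needs every substring, and the condition `all of selection_* and not 1 of filter_optional_*`. The events are constructed samples with Sysmon-style field names; the function names are the rule's own selection names and are otherwise assumptions.

```python
"""Evaluate the 'Firewall Rule Deleted Via Netsh.EXE' rule on sample events.

Hypothetical helper for illustration; it is not Sigma's own matcher.
"""


def _field(event, name):
    """Return a field from a process-creation event, lowercased ('' if absent).
    Sigma string modifiers are case-insensitive by default."""
    return str(event.get(name, "")).lower()


def selection_img(event):
    # List of maps => OR. OriginalFileName comes from the PE version
    # resource, so a renamed copy of netsh.exe still matches.
    return (_field(event, "Image").endswith("\\netsh.exe")
            or _field(event, "OriginalFileName") == "netsh.exe")


def selection_cli(event):
    # contains|all => every substring must be present. The trailing space
    # in 'delete ' keeps 'deleted' or 'deletes' on their own from matching.
    cli = _field(event, "CommandLine")
    return all(token in cli for token in ("firewall", "delete "))


def filter_optional_dropbox(event):
    # Both fields in the map must hold (AND): Dropbox removing its own rule.
    return (_field(event, "ParentImage").endswith("\\dropbox.exe")
            and "name=dropbox" in _field(event, "CommandLine"))


def matches(event):
    """condition: all of selection_* and not 1 of filter_optional_*"""
    selections = (selection_img, selection_cli)
    filters = (filter_optional_dropbox,)
    return all(s(event) for s in selections) and not any(f(event) for f in filters)


# Constructed sample events (not real telemetry); names are for the reader.
SAMPLE_EVENTS = {
    "delete_rule": {  # modern advfirewall syntax: should alert
        "Image": r"C:\Windows\System32\netsh.exe",
        "OriginalFileName": "netsh.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": 'netsh advfirewall firewall delete rule name="Remote Desktop"',
    },
    "legacy_portopening": {  # legacy 'netsh firewall' syntax: should alert
        "Image": r"C:\Windows\System32\netsh.exe",
        "OriginalFileName": "netsh.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "netsh firewall delete portopening tcp 3389",
    },
    "renamed_binary": {  # renamed copy caught via OriginalFileName
        "Image": r"C:\Users\Public\n.exe",
        "OriginalFileName": "netsh.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": 'n.exe advfirewall firewall delete rule name="Core Networking"',
    },
    "dropbox_cleanup": {  # excluded by filter_optional_dropbox
        "Image": r"C:\Windows\System32\netsh.exe",
        "OriginalFileName": "netsh.exe",
        "ParentImage": r"C:\Program Files (x86)\Dropbox\Client\Dropbox.exe",
        "CommandLine": "netsh advfirewall firewall delete rule name=Dropbox",
    },
    "add_rule": {  # adding a rule: no 'delete ' token
        "Image": r"C:\Windows\System32\netsh.exe",
        "OriginalFileName": "netsh.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": 'netsh advfirewall firewall add rule name="App" dir=in action=allow',
    },
    "unrelated_process": {  # not netsh at all
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell.exe Get-NetFirewallRule",
    },
}


def evaluate_all(events=SAMPLE_EVENTS):
    """Map each sample name to whether the rule fires on it."""
    return {name: matches(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, hit in evaluate_all().items():
        print(f"{name:20s} {'ALERT' if hit else 'no match'}")
```

Three of the six samples fire: the modern and legacy delete commands and the renamed binary; the Dropbox uninstall is suppressed by the optional filter, and the add-rule and PowerShell events never satisfy both selections. When porting the rule to a backend, confirm that its `contains` is case-insensitive and preserves the trailing space in `'delete '`, since both details decide the outcome here.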
Related rules
- All Rules Have Been Deleted From The Windows Firewall Configuration
- Azure Firewall Modified or Deleted
- Azure Firewall Rule Collection Modified or Deleted
- Bpfdoor TCP Ports Redirect
- Disable Microsoft Defender Firewall via Registry